Nate Otto is scribing.

Manu Sporny: On the Agenda today: Dissenting opinions have become public on the verifiable claims stuff; Some discussion on JOSE/JWT; Verifiable Claims Working Group F2F agenda prepping for success if it's approved; Any other business, including how we might coordinate with rebooting web of trust workshop and Internet Identity Workshop. ✪

Topic: Review All Dissenting Opinions

Manu Sporny: The good news as of two weeks ago was that Web Payments IG decided to push VCTF charter / entire proposal onto W3C Management to approve and send to W3C membership for a vote ✪

Manu Sporny: IG Passed it almost unanimously; there were three dissenting opinions ✪

Manu Sporny: One came from Microsoft, strong; One came from Google, not as strong, around process/incubation; 3rd one came from W3C Staff that they couldn't support the charter as is. ✪

Manu Sporny: Now that the minutes are public we can talk more about each company's objection ✪

Manu Sporny: Microsoft: Mike Champion said MS's opinion is that the work is unnecessary, overlaps too heavily with JOSE/JWT work; There are plenty of ways to express claims out there. ✪

Manu Sporny: This was repeated at the blockchains/identity workshop where several MS employees expressed they hadn't heard from any of their clients that this was necessary. They expect industry verticals to figure out making claims work across those verticals instead of standardization. ✪

Manu Sporny: There were also a few process concerns about whether this was incubated long enough and had enough cross-pollination with JWT work. ✪

Manu Sporny: This opinion is not universally held across the Microsoft organization. But the people who are speaking up against the work have been heavily involved in JOSE/JWT work. ✪

Manu Sporny: We should get them talking to one another; this might be enough to remove Microsoft's objection to the work ✪

Dan Burnett: There is in all cases working with technology, there is a difference between a technology and a solution that uses a technology. JWT is a technology, it's not the solution that we need. It's one possible grammar that can be used in a solution. ✪

Dan Burnett: Michael said this too, that we don't have "real skin in the game from the members who would have to implement and use the resulting specs" ✪

Manu Sporny: Chris felt the work needed to be incubated more. He felt that we don't have enough variation in members outside of education who want to see the work happen. Education is primarily the group we should focus on; if that solution works, we should expand to other sectors (finance, healthcare) after getting more members from those sectors. ✪

Manu Sporny: It was a bit confusing why Chris felt there wasn't support in financial services sector because this was being considered in the Web Payments IG. ✪

Manu Sporny: Other objection -- we haven't incubated this work enough. We asked twice "how much incubation is enough". There was no solid answer. More "we'll know it when we see it" not "once you have this deployed in three companies for 10000 people" ✪

Manu Sporny: We did note that the most approved charter in W3C history was the Web Payments IG which had been incubated for 4 years, which was opposed by Google and Microsoft, and was called by them an example of work that began too soon. If that doesn't meet the bar for incubation, what does? ✪

Manu Sporny: My guess is that most of it might boil down to Google wasn't involved in the incubation, so it wasn't incubated long enough. Problem: they don't want to be involved in the work because it exposes them to patent concerns and issues. Google and Microsoft didn't form the Web Payments work until the WG formed -- or maybe only just before at the very end of the IG phase. ✪

Manu Sporny: In any case, it seemed a lot of their position was "why weren't we consulted" -- when they were consulted and didn't respond. Google did have the opinion that the work was important and they wanted it to continue. ✪

Manu Sporny: Over the next month or two, we need to be very clear about the reasons some organizations are exploring LD signatures over JWT. Try to stay as agnostic as possible in the working group. "If you want to use LD Signatures, here's how you sign a claim" "If you want to use JWT this is how you sign a claim" ✪

Manu Sporny: We've been looking at JWT for a number of years, have discovered some issues that have caused us to move away from it. ✪

Manu Sporny: Background: JWT is a base64 encoded blob -- you can't see the content unless you decode it ✪

Dave Longley: Potentially a problem or limitation for public credentials ✪

Manu Sporny: Orgs like CTI want to be able to publish credential templates to the web and have them be searchable, picked up by search crawlers. It's not impossible. ✪

Shane McCarron: Also important for things like Coupons and search engines... schema.org model is so well understood by the industry now I am loathe to try to turn that boat ✪

Manu Sporny: JWT must be base64 encoded because whitespace matters, where it doesn't for Linked Data signatures. ✪

Manu Sporny: We expect JWT to be a point of contention throughout the work. The more people who are tuned into why this is a point of contention, the better. We don't want folks in this group to go into the discussion completely unaware of the tradeoffs. ✪

Dan Burnett: Specifically about the example as well - It would be nice to include what the public key is so people can verify the signature. Other thing is that you used RS256 algorithm, which is the most widespread, but IETF is working very hard to encourage public posted examples to use stronger encryption. Can we use EC256 or one of the EC variants instead? ✪

Dan Burnett: We may never be in a position in a spec to recommend specific algorithms, but even in the case of having examples, it's good to have the examples do what you expect people to do, because newbies often use those as a clue about what algorithm to pick. ✪

Manu Sporny: Other points -- there is concern about NSA backdooring into some of the curves -- Bitcoin community is particularly concerned about that. There's no secp256k1 implementation for JWT that I know of as well. These are all kind of concerns we should raise as issue markers. If we use something like ES256, we could say "some people are concerned about NSA backdooring of these algorithms; if you have those concerns you can use another" ✪

Dan Burnett: Ah, so you had equally valid concerns going in a different direction. If you look at ___ there's a note that says "watch this space because we may need to upgrade to something else". We just want to show whatever the best up-to-date recommendations are, whatever they end up being. ✪

Manu Sporny: We're looking at a bunch of rapidly evolving parts of the signatures space. Good point. This is up to the proposed working group to decide, if any recommendation. We may say "look at this other page for the most up to date recommendation because the lifetime of anything we could use right now is short" ✪

Manu Sporny: The other ask of the group is please participate in this work, either doing a review of the paper or putting your thoughts in. ✪

Manu Sporny: Please insert link to which paper you would like people to view here in the log. ✪

David Ezell: (Right) - we've talked about a number of things, like web couponing. Having this data structured so that people can find it is very important. ✪

Nate Otto: My question - been digging into signature mechanisms - Linked Data Signature might work very well for OpenBadges stuff, primarily because it is good at being embedded at different levels. For the purposes of this document, should we be actively identifying parts where JWT are problematic? [scribe assist by Manu Sporny] ✪

Manu Sporny: Probably not in this document, but in the analysis document, we'll want to do that. ✪

Manu Sporny: This analysis doc we're putting together will contain all the reasons to use LD Signatures or JWT, and what you're talking about would be super helpful. ✪

Manu Sporny: We'll likely start out with a google doc, stay tuned for the link ✪

Nate Otto: Google docs is cool, but terrible for code -- found this other one that is pretty cool for editing code in markdown: usecanvas.com/ ✪

Shane McCarron: Apropos of nothing - check out this for shared editing and annotation: https://dokie.li/ ✪

Manu Sporny: We put out this blog post where we went through and documented the current state of the JOSE stack talking about the benefits and drawbacks. Put this in as input to the JOSE WG as concerns, and we did not get a response from the group, nothing significant beyond "yeah we're looking into it" ✪

Manu Sporny: None of the specs were changed as result to input -- particularly because we were asking for big changes, and they were at the end of the standardization process. ✪

Topic: Verifiable Claims Face-to-Face Agenda

Manu Sporny: This topic comes with a huge caveat: There is no such thing as the VCWG ✪

Manu Sporny: We are currently chatting with W3C staff/mgmt to see how the proposal can be put forward to W3C membership for a vote. We're effectively in a holding pattern for W3C management for changes they would like to see made to the charter. ✪

Manu Sporny: Wendy Seltzer is the point person on this, currently engaged at IETF in Berlin this week, so we don't expect quick response. We've already discussed this in this group, so we'll likely be able to respond very quickly to what she says. ✪

Manu Sporny: Then it's up to W3C management to put it up for a vote. W3C management felt it was unlikely to get a vote closed by TPAC, but we might get the vote open by TPAC. We're talking about getting some space in the Web Payments IG ✪

Manu Sporny: This is a link for a proposed full day agenda, but we're likely to want to propose a half day agenda as well ✪

Manu Sporny: Waiting for W3C management to provide feedback on what type of charter would most likely be able to go through a W3C membership vote. ✪

Manu Sporny: It's hard to plan travel on this short notice. Today would be about 8 weeks which is the minimum. ✪

Manu Sporny: We may be asking folks to join the W3C and plan to make the travel to TPAC in the near term if we can get the time on the schedule, and our schedule ask will depend on who can come. ✪

Manu Sporny: The agenda draft goes from 8:30 to 5:30/6pm. There's a space for comments/brainstorming at the bottom of that page. Please make comments and things of that nature. We'll probably extend this page to also prototype half-day or two-day agendas as well. ✪

Manu Sporny: There's a blockchain/healthcare workshop in MD in end of September, then immediately after is Rebooting Web of Trust Workshop. Clearly we want a verifiable claims thread through all of those. We want to keep people up to date on what's going on. ✪

Manu Sporny: Clearly some of us are going to miss each of these events. Kind of an open question to folks: think about opportunities to weave VC stuff in with these identity conferences you're going to. If you get a bright idea on a good way to colocate, let us know. ✪

Manu Sporny: Thanks. Any other thoughts on coordinating with other conferences? ✪

Nate Otto: EPIC (internet and Identity conference -- very small, probably not the right people, but they'd be very open to colocating in Bologna end of October) -- the other end of October options might be more attractive. ✪

Manu Sporny: It's very unlikely for people to be able to commit to travel to TPAC, so it's my hope that we can use TPAC to circulate charter, but not likely to be able to get the orgs that really want to participate to TPAC ✪

Nate Otto: BA will not pay for W3C membership until this charter is approved to hold it over their heads, so a non-TPAC F2F would be more ideal for me. ✪